
mainstreetmark

Original poster
May 7, 2003
Saint Augustine, FL
So, when I log in to VPN everything works as advertised, but Google becomes unavailable, and likewise all sites with Google ads also become unavailable.

Safari gives me a "lost network connection" error after 30 secs.

If I ping google locally, I get the same IP as I get when I ping from the remote server I'm ssh'd into.

I've flushed DNS cache with 'sudo lookupd -flushcache', still no go.

Any thoughts?
 
When you activate VPN (to your company?), does it force your computer to go through the company's name server for everything? If so, maybe the server on your company's end might have problems, or maybe it is set up that way on purpose.
 
Are you using the built-in VPN client, or a third party one such as Checkpoint or Cisco?
 
Tried a traceroute? Looked up your gateway? It may be that the VPN tunnel has been set to be the conduit to the Internet, if I'm phrasing that properly, and routing may not be taking place properly. I have similar problems with the Mac VPN client when on rare occasions I VPN into the server cluster for specific purposes. In Windows I could untick "use default gateway" and that would be fine, but I can't spot a similar 'easy way out'. Hope you find what the problem is. And if you do, could you let us know?
 
mainstreetmark said:
The built-in one, as it's free.
Whatever you dial into could be set to disallow split tunneling, so that your computer is prevented from talking to anything but the VPN whilst connected. As others have suggested, you should connect then try to ping www.google.com from Terminal, which will tell you whether the DNS requests your computer sends out are being resolved. If they aren't, then you probably need to manually enter the DNS server in your office into your Mac's Network settings. Another thing that may work in the office is that your internal network's default gateway allows you to talk out to the 'Net, but the dial in gateway does not. You need to speak to your sys admin.

EDIT: If the traceroute works, all that it tells us is that ICMP traffic is permitted. Is there a web proxy in the office that you can try routing your web queries through?
 
So, no one can figure this one out. A Windows machine, logged in as me, seems to work just fine, so the issue appears to be localized to the Mac. :( Tough going, too, since this is a Windows shop.
 
It's a simple enough issue, and it's been addressed many times on this forum and elsewhere. Basically, the problem appears to be that your corporate VPN does not provide access to the Internet as a whole, but rather expects "split routing": traffic to the Internet is routed the way it normally is, while traffic within the VPN goes through the VPN tunnel. Windows XP's VPN client apparently has a simple option to do this. Unfortunately, the same is not true of Mac OS X's VPN client, so you either need to edit your routing files or get another client such as DigiTunnel (excellent but a bit expensive), which supports split routing.
 
Yes, but as far as I could figure out with DigiTunnel, you route all of, say, port 80 in or out of the VPN, but as I'm developing web apps inside the network I need port 80 to be "inside".

It's just silly that ALL websites work, except for any website remotely related to Google. Even Google Earth and my POP Gmail account fail.
 
A slight update to my earlier post in this thread. The Mac OS X VPN client now appears to support split routing.
 
mainstreetmark said:
Yes, but as far as I could figure out with DigiTunnel, you route all of, say, port 80 in or out of the VPN, but as I'm developing web apps inside the network I need port 80 to be "inside".

Incorrect. DigiTunnel directs traffic through the VPN or not according to IP address, not port number. For example, 192.168.1.* might go through the VPN, while everything else doesn't.
 
marnen said:
A slight update to my earlier post in this thread. The Mac OS X VPN client now appears to support split routing.

marnen, how does it support split routing? I don't see any option. Do I have to manually do this?

In Linux I can add my ISP's name servers to resolv.conf and that works. The same does not work with OSX.
 
Ah - found it.

In the InternetConnect.Connect.Options dialog, uncheck "Send all traffic over VPN Connection"

Now Google and my ISP mail both work while connected to the VPN.
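
As an added illustration (not part of the thread and not any VPN client's own code), the Python sketch below models the routing decision the posts above discuss: with "Send all traffic over VPN Connection" checked the default route points into the tunnel, while split routing sends only the office range through it, and the choice is made by destination IP address, not by port. The interface names `ppp0` and `en0`, the home LAN range and the public address `203.0.113.10` are assumptions; `192.168.1.*` is the range used in the DigiTunnel example.

```python
import ipaddress

# Constructed routing tables: (destination prefix, outgoing interface).
# ppp0 = VPN tunnel, en0 = local ISP link (both names are assumptions).
FULL_TUNNEL = [
    ("0.0.0.0/0", "ppp0"),       # "Send all traffic over VPN Connection" checked
    ("192.168.1.0/24", "ppp0"),  # office LAN
    ("10.0.0.0/24", "en0"),      # home LAN stays local
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "en0"),        # default route stays on the ISP link
    ("192.168.1.0/24", "ppp0"),  # only the office LAN uses the tunnel
    ("10.0.0.0/24", "en0"),
]


def pick_interface(table, dest):
    """Longest-prefix match: the most specific route containing dest wins.

    The port never enters the decision, so an internal web app and a public
    web site on port 80 can take different paths.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def compare(dests):
    """Map each destination to (full-tunnel interface, split-tunnel interface)."""
    return {
        d: (pick_interface(FULL_TUNNEL, d), pick_interface(SPLIT_TUNNEL, d))
        for d in dests
    }


if __name__ == "__main__":
    # Constructed destinations: an internal web app and a public site.
    for dest, (full, split) in compare(["192.168.1.20", "203.0.113.10"]).items():
        print(f"{dest:15} full tunnel -> {full:5} split tunnel -> {split}")
```

On a Mac, the real table this models can be inspected with `netstat -rn` before and after connecting, which shows whether the default route has moved to the VPN interface.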
 